Match nested paths for insensitive actuators

Update `ManagementWebSecurityAutoConfiguration` to match nested path
for insensitive actuators.

Prior to this commit, when Spring Security was on the classpath
nested paths were considered sensitive (even if the actuator
endpoint was not sensitive). i.e. when setting
`endpoints.env.sensitive=false` `/env` could be accessed without
authentication but `/env/user` could not.

Fixes gh-7868
Closes gh-7881

spring-boot-actuator/src/main/java/org/springframework/boot/actuate/autoconfigure/ManagementWebSecurityAutoConfiguration.java

@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2016 the original author or authors.
+ * Copyright 2012-2017 the original author or authors.
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -257,10 +257,11 @@ public class ManagementWebSecurityAutoConfiguration {
 
 		private void configurePermittedRequests(
 				ExpressionUrlAuthorizationConfigurer<HttpSecurity>.ExpressionInterceptUrlRegistry requests) {
+			requests.requestMatchers(new LazyEndpointPathRequestMatcher(
+					this.contextResolver, EndpointPaths.SENSITIVE)).authenticated();
 			// Permit access to the non-sensitive endpoints
 			requests.requestMatchers(new LazyEndpointPathRequestMatcher(
 					this.contextResolver, EndpointPaths.NON_SENSITIVE)).permitAll();
-			requests.anyRequest().authenticated();
 		}
 
 	}
@@ -276,6 +277,15 @@ public class ManagementWebSecurityAutoConfiguration {
 				return !endpoint.isSensitive();
 			}
 
+		},
+
+		SENSITIVE {
+
+			@Override
+			protected boolean isIncluded(MvcEndpoint endpoint) {
+				return endpoint.isSensitive();
+			}
+
 		};
 
 		public String[] getPaths(EndpointHandlerMapping endpointHandlerMapping) {
@@ -289,12 +299,9 @@ public class ManagementWebSecurityAutoConfiguration {
 					String path = endpointHandlerMapping.getPath(endpoint.getPath());
 					paths.add(path);
 					if (!path.equals("")) {
-						if (endpoint.isSensitive()) {
-							// Ensure that nested paths are secured
-							paths.add(path + "/**");
-							// Add Spring MVC-generated additional paths
-							paths.add(path + ".*");
-						}
+						paths.add(path + "/**");
+						// Add Spring MVC-generated additional paths
+						paths.add(path + ".*");
 					}
 					paths.add(path + "/");
 				}

spring-boot-samples/pom.xml

@@ -115,6 +115,7 @@
 		<module>spring-boot-sample-websocket-undertow</module>
 		<module>spring-boot-sample-webservices</module>
 		<module>spring-boot-sample-xml</module>
+		<module>spring-boot-sample-hypermedia-ui-secure</module>
 	</modules>
 	<!-- No dependencies - otherwise the samples won't work if you change the
 		parent -->

spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/pom.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<parent>
+		<artifactId>spring-boot-samples</artifactId>
+		<groupId>org.springframework.boot</groupId>
+		<version>1.5.0.BUILD-SNAPSHOT</version>
+	</parent>
+	<modelVersion>4.0.0</modelVersion>
+	<artifactId>spring-boot-sample-hypermedia-ui-secure</artifactId>
+	<name>Spring Boot Hypermedia UI Secure Sample</name>
+	<description>Spring Boot Hypermedia UI Secure Sample</description>
+	<properties>
+		<main.basedir>${basedir}/../..</main.basedir>
+	</properties>
+	<dependencies>
+		<!-- Compile -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-actuator</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-security</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-hateoas</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-actuator-docs</artifactId>
+		</dependency>
+		<!-- Test -->
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+	</dependencies>
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+</project>

spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/main/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplication.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.hypermedia.ui.secure;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class SampleHypermediaUiSecureApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(SampleHypermediaUiSecureApplication.class, args);
+	}
+
+}

spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/main/resources/static/index.html

@@ -0,0 +1,5 @@
+<html>
+<body>
+	<h1>Hello World!</h1>
+</body>
+</html>

spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/test/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplicationTests.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.hypermedia.ui.secure;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, properties = {
+		"endpoints.env.sensitive=false" })
+public class SampleHypermediaUiSecureApplicationTests {
+
+	@Autowired
+	private TestRestTemplate restTemplate;
+
+	@Test
+	public void links() {
+		String response = this.restTemplate.getForObject("/actuator", String.class);
+		assertThat(response).contains("\"_links\":");
+	}
+
+	@Test
+	public void testInSecureNestedPath() throws Exception {
+		ResponseEntity<String> entity = this.restTemplate.getForEntity("/env",
+				String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.OK);
+		ResponseEntity<String> user = this.restTemplate.getForEntity("/env/user",
+				String.class);
+		assertThat(user.getStatusCode()).isEqualTo(HttpStatus.OK);
+		assertThat(user.getBody()).contains("{\"user\":");
+	}
+
+	@Test
+	public void testSecurePath() throws Exception {
+		ResponseEntity<String> entity = this.restTemplate.getForEntity("/metrics",
+				String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+	}
+}

spring-boot-samples/spring-boot-sample-hypermedia-ui-secure/src/test/java/sample/hypermedia/ui/secure/SampleHypermediaUiSecureApplicationWithContextPathTests.java

@@ -0,0 +1,52 @@
+/*
+ * Copyright 2012-2017 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package sample.hypermedia.ui.secure;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.boot.test.web.client.TestRestTemplate;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.junit4.SpringRunner;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT, properties = {
+		"management.context-path=/admin" })
+public class SampleHypermediaUiSecureApplicationWithContextPathTests {
+
+	@Autowired
+	private TestRestTemplate restTemplate;
+
+	@Test
+	public void links() {
+		String response = this.restTemplate.getForObject("/admin", String.class);
+		assertThat(response).contains("\"_links\":");
+	}
+
+	@Test
+	public void testSecurePath() throws Exception {
+		ResponseEntity<String> entity = this.restTemplate.getForEntity("/admin/metrics",
+				String.class);
+		assertThat(entity.getStatusCode()).isEqualTo(HttpStatus.UNAUTHORIZED);
+	}
+
+}